Unfortunately, the domain was down, and we couldn't get a copy of the final payload. After going through all the effort to compromise Skype ads and spread fake Flash Player updates through such a noisy method, the attacker would most likely have infected victims with malware that was worth the trouble, such as a banking trojan or ransomware. Nonetheless, this couldn't be confirmed at the time of writing.

Sprawling network of interconnected domains

Two domains were spotted pushing the fake Flash Player updates: oyomakaomojiya[.]org and cievubeataporn[.]net. Both were registered with Cock.li email accounts: jonathandpreston@wants.dicksinhisan[.]us and edwardslawler@dicksinmyan[.]us, respectively.

Both emails have been used to register a large number of shady domains, most of which have entries on VirusTotal, listing all sorts of suspicious activity.

The first email address has been used to register the following domains:

"The first registered domain for both email addresses is on 2017-02-22," said MalwareHunter, who helped with this investigation. "Surely there is a connection between the two."

Professional malvertising group behind the attacks

Some of the IP addresses where these sites have been hosted resolved to servers that hosted a multitude of other malicious domains in the past.

Taking a random IP, MalwareHunter found another domain that was also hosted on the same server and caught pushing suspicious JS files for download in the past.

This domain was registered with the email address justincabel@airmail.cc, which, in the same manner as the two previous emails, was used to register 35+ domains starting that day, February 23, a day after the two other emails were used to register their domains.

As we dug deeper, it became clear we were dealing with a skilled group that was registering and throwing away a large number of domains on a daily basis, most likely as part of a professional malvertising operation. At no time were we able to obtain a final payload, showing the speed with which operators moved from one domain to the next.

This is not the first time Skype has been plagued by malvertising campaigns. It happened in 2014 [1, 2], 2015, and 2016.

Regarding this latest incident, the Reddit user who first noticed the attack said Skype support denied that anything went wrong on their side. On Reddit, users shared various methods for blocking Skype ads [1, 2].

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.